Date: Mon, 20 Mar 2023 13:33:48 GMT
Message-Id: <202303201333.32KDXmnB073696@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: 795fda214f11 - stable/13 - netinet: Tighten checks for unspecified source addresses
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
Sender: owner-dev-commits-src-all@freebsd.org
X-BeenThere: dev-commits-src-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 795fda214f11ebb58b335fd064f736708df6b3ff
Auto-Submitted: auto-generated
X-ThisMailContainsUnwantedMimeParts: N

The branch stable/13 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=795fda214f11ebb58b335fd064f736708df6b3ff

commit 795fda214f11ebb58b335fd064f736708df6b3ff
Author: Mark Johnston
AuthorDate: 2023-03-06 20:06:00 +0000
Commit: Mark Johnston
CommitDate: 2023-03-20 13:00:56 +0000

netinet: Tighten checks for unspecified source addresses

The assertions added in commit b0ccf53f2455 ("inpcb: Assert against
wildcard addrs in in_pcblookup_hash_locked()") revealed that protocol
layers may pass the unspecified address to in_pcblookup().  Add some
checks to filter out such packets before we attempt an inpcb lookup:
- Disallow the use of an unspecified source address in in_pcbladdr() and
  in6_pcbladdr().
- Disallow IP packets with an unspecified destination address.
- Disallow TCP packets with an unspecified source address, and add an
  assertion to verify the comment claiming that the case of an
  unspecified destination address is handled by the IP layer.

Reported by: syzbot+9ca890fb84e984e82df2@syzkaller.appspotmail.com
Reported by: syzbot+ae873c71d3c71d5f41cb@syzkaller.appspotmail.com
Reported by: syzbot+e3e689aba1d442905067@syzkaller.appspotmail.com
Reviewed by: glebius, melifaro
MFC after: 2 weeks
Sponsored by: Klara, Inc.
Sponsored by: Modirum MDPay Differential Revision: https://reviews.freebsd.org/D38570 (cherry picked from commit 713264f6b8bc5f927dd52cf8ffcccfa397034fec) --- sys/netinet/in_pcb.c | 2 ++ sys/netinet/ip_input.c | 5 +++++ sys/netinet/tcp_input.c | 8 ++++++++ sys/netinet6/in6_pcb.c | 2 ++ 4 files changed, 17 insertions(+) diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c index 55fa795457cb..d10bd9b32e89 100644 --- a/sys/netinet/in_pcb.c +++ b/sys/netinet/in_pcb.c @@ -1338,6 +1338,8 @@ in_pcbladdr(struct inpcb *inp, struct in_addr *faddr, struct in_addr *laddr, } done: + if (error == 0 && laddr->s_addr == INADDR_ANY) + return (EHOSTUNREACH); return (error); } diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index 750ddfc3a46f..2cfd3c544c72 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -515,6 +515,11 @@ ip_input(struct mbuf *m) goto bad; } } + /* The unspecified address can appear only as a src address - RFC1122 */ + if (__predict_false(ntohl(ip->ip_dst.s_addr) == INADDR_ANY)) { + IPSTAT_INC(ips_badaddr); + goto bad; + } if (m->m_pkthdr.csum_flags & CSUM_IP_CHECKED) { sum = !(m->m_pkthdr.csum_flags & CSUM_IP_VALID); diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index 1c2fe014c7f3..9bc9923530e0 100644 --- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c @@ -715,6 +715,8 @@ tcp_input_with_port(struct mbuf **mp, int *offp, int proto, uint16_t port) * Note that packets with unspecified IPv6 destination is * already dropped in ip6_input. */ + KASSERT(!IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_dst), + ("%s: unspecified destination v6 address", __func__)); if (IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src)) { /* XXX stat */ goto drop; 
@@ -783,6 +785,12 @@ tcp_input_with_port(struct mbuf **mp, int *offp, int proto, uint16_t port) TCPSTAT_INC(tcps_rcvbadsum); goto drop; } + KASSERT(ip->ip_dst.s_addr != INADDR_ANY, + ("%s: unspecified destination v4 address", __func__)); + if (__predict_false(ip->ip_src.s_addr == INADDR_ANY)) { + /* XXX stat */ + goto drop; + } } #endif /* INET */ diff --git a/sys/netinet6/in6_pcb.c b/sys/netinet6/in6_pcb.c index 02fd3dff2ad7..ab04d402cf96 100644 --- a/sys/netinet6/in6_pcb.c +++ b/sys/netinet6/in6_pcb.c @@ -376,6 +376,8 @@ in6_pcbladdr(struct inpcb *inp, struct sockaddr_in6 *sin6, NET_EPOCH_EXIT(et); if (error) return (error); + if (IN6_IS_ADDR_UNSPECIFIED(&in6a)) + return (EHOSTUNREACH); /* * Do not update this earlier, in case we return with an error.
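
Review bot: In the sys/netinet/in_pcb.c hunk, the new test at the `done:` label of in_pcbladdr() has no comment explaining why a successful source selection that yields INADDR_ANY is converted to EHOSTUNREACH. Every path that reaches `done:` with `error == 0` is now affected, so a one-line comment tying the check to the inpcb lookup assertion named in the commit message would save the next reader a trip through git blame.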
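
Review bot: In the sys/netinet/ip_input.c hunk, the destination test wraps the field in ntohl() (`ntohl(ip->ip_dst.s_addr) == INADDR_ANY`), while the matching tests added to tcp_input.c and in_pcb.c in this same patch compare `s_addr` against INADDR_ANY directly. The result is the same because INADDR_ANY is zero in either byte order, but the patch should pick one form so the three checks read alike. The comment could also give the RFC 1122 section number so the rule is easy to verify.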
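
Review bot: In the first sys/netinet/tcp_input.c hunk (IPv6 path of tcp_input_with_port()), the KASSERT on `ip6->ip6_dst` asserts on a field taken from a received packet and is only evaluated in kernels built with INVARIANTS. The comment above it relies on ip6_input having already dropped such packets, so it is worth confirming that no caller can reach this point without passing through that filter; otherwise a debug kernel panics on remote input while a production kernel silently continues to the lookup.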
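
Review bot: In the second sys/netinet/tcp_input.c hunk (IPv4 path), the new drop for `ip->ip_src.s_addr == INADDR_ANY` is uncounted and adds another `/* XXX stat */` marker, whereas the ip_input.c hunk in this patch increments `ips_badaddr` for the equivalent destination case. Without a counter an operator cannot tell from statistics that these segments are being discarded, so consider bumping an existing TCP or IP statistic here. The KASSERT on `ip->ip_dst` also depends on the ip_input() check introduced by this same patch, which deserves a mention in the adjacent comment as the IPv6 block has.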
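
Review bot: In the sys/netinet6/in6_pcb.c hunk, the new `IN6_IS_ADDR_UNSPECIFIED(&in6a)` return is placed directly above the existing "Do not update this earlier, in case we return with an error" comment with no comment of its own, so it reads as if that comment described the new check. A short comment on the new test, noting that it mirrors the EHOSTUNREACH return added to in_pcbladdr(), would keep the two address families visibly in step.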